Notes: Unix Lab 05

  1. ls and permission strings
  2. Directory permissions
  3. The chmod command
  4. The chown command
  5. The chgrp command
  6. The groups command
  7. The umask command
  8. The touch command
  1. Permission strings and file ownership

    Unix supports three basic access permission attributes: read, write, and execute. There are some additional attributes that can be set, but they are less frequently used. For files, read access sets the ability for a user to view the contents of the file. Write access controls the ability to delete or modify the contents of a file. Execute permission determines whether the shell will allow the file to be run as a program.

    For each file there are three sets of permissions: user, group, and others (or "world"). The user permissions determine the access for the user account that owns the file. The group permissions set access for user accounts that are members of the file's group. The permissions for others control access for any user account that is neither the owner nor a member of the file's group.

    The long listing from ls (ls -l) displays the permission strings for user, group and others. An example:
     
    tuckerm@platypus:~> ls -l start-vnc.sh 
    -rwxr-x---  1 tuckerm tuckerm 777 Nov  7 14:09 start-vnc.sh*
    tuckerm@platypus:~>
    

    The permissions are listed in the first block of characters in the output of the long listing (ls -l). In each example below the characters being discussed are marked with carets on the following line:

    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
    ^^^^^^^^^^
    The first character, in this case the dash "-", designates the file type (regular file, link, directory, etc.). The rest of the block is made up of three groups of three characters. The first three characters display the current permissions relative to the owner of the file:
    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
     ^^^
    The group permissions are displayed in the next three characters:
    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
        ^^^
    The final three characters show the permissions for all other users on the system ("world") who are neither the owner nor a member of the file's group:
    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
           ^^^
    Each block of three characters is ordered as "rwx". The "r" designates that the user, group or other has read access to the file; this controls the ability to view the contents of the file itself. If read access is not allowed there will be a dash ("-") character in its place. The "w" character designates whether the user, group or world has write access to the file. Write access allows the contents of the file to be modified and also controls the ability to delete the entire file. If write access is not allowed there will be a dash ("-") character in its place. The final character, "x", shows the execute permission for the file. In Unix the ability to execute a file as a program is not dependent on the file name or extension as it is in Windows/DOS; the execute permission alone determines whether the file may be executed. A file having execute permission does not mean that it will do anything meaningful when the shell attempts to run it. If execute access is not allowed there will be a dash ("-") character in its place.

    Some examples:

    -rw-r----- 1 tuckerm users 1254 Apr 1 14:09 some_file.txt
    In the above example the user, tuckerm, has permission to read the file some_file.txt along with permission to modify or delete the file. Members of the group "users" may read the contents of the file but cannot change or delete the file. All other users will be denied access to the file. Nobody may execute the file as a program.

    -r--rw-r-- 1 tuckerm users 1254 Apr 1 14:09 some_file.txt
    In this example the user, tuckerm, can only read the file - even if they were a member of the "users" group. All other members of the group "users" may read and change/delete the file. Anyone else on the system is only allowed to read the file.

  2. Directory Permissions

    Permissions on directories are defined in the same way as for regular files, but their meaning is slightly different.
        r   Allows the user, group or world to view the contents (file
            listing) of a directory.

        w   Allows the user, group or world to create or delete files
            within the directory.

        x   Allows the user, group or world to access (cd into) the directory,
            but does not necessarily allow the user to read a listing of
            files within the directory (unless the "r" attribute is also
            set).

    These permissions only apply to the directory itself and are not inherited by subdirectories; each subdirectory carries its own permissions.

  3. Changing permissions with chmod

    The utility chmod is used to change the permissions on a file or directory. The command accepts two (or more) arguments:
    chmod <permissions> <file or directory>
    Permissions are defined by who the permission applies to, whether the permission is added or removed, and which access permission is being designated.
        u  user permissions (owner)
        g  group permissions
        o  permissions for all others (world)
        a  permissions for all users (u,g and o)
        
    The access permissions are designated with the same characters as were used in the long listing output:
        r  read permission
        w  write permission
        x  execute permission
        
    Below is an example of allowing read permissions for all group members of a file:
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod g+r somefile.txt
    tuckerm@apollo:~> 
    

    Another example removing write access for all users and adding read access for the world:
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod a-w,o+r somefile.txt
    tuckerm@apollo:~> 
    

    An example of giving full access to the owner of the file:
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod u+rwx somefile.txt
    tuckerm@apollo:~> 
    

    An example of removing all access for the group and world for the file:
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod go-rwx somefile.txt
    tuckerm@apollo:~> 
    

    There is a second way of specifying the permissions to update with chmod, using a numeric representation of the file's permissions. An example of this:

    chmod 0750 somefile.txt
    In this example the permissions are broken down into numeric values. The first digit is used to specify any special permission (sticky bit, setuid, etc.) or the type of entity (directory, file, link, etc.); see the man page for chmod. For most common usage the first digit can be ignored. Following this first digit, the next digit specifies the user (owner) permissions, the second digit the group permissions and the third digit the other (world) permissions. Each of these digits is made up of three values:
        1  x  execute permissions
        2  w  write permissions
        4  r  read permissions
        
    The numeric values for each access attribute are added up to give the appropriate digit. For example, to set read and write access (but not execute) for a given entity, the value for read access (4) is added to the value for write (2), giving 6. Therefore, read & write permissions for the user and group but read-only for all others would be specified as 0664:

    access        user   group   others
    read (r)        4      4       4
    write (w)       2      2       0
    execute (x)     0      0       0
    Total           6      6       4

    Some examples of equivalent commands starting with the numeric method:
     
    tuckerm@apollo:~> ls -l some-file.txt
    ----------    1 tuckerm  students        0 Feb  1 17:11 some-file.txt
    tuckerm@apollo:~> chmod 0754 some-file.txt
    tuckerm@apollo:~> ls -l some-file.txt
    -rwxr-xr--    1 tuckerm  students        0 Feb  1 17:11 some-file.txt*
    tuckerm@apollo:~>
    

    The same operation using the symbolic notation:
     
    tuckerm@apollo:~> ls -l some-file.txt
    ----------    1 tuckerm  students        0 Feb  1 17:11 some-file.txt
    tuckerm@apollo:~> chmod u+rwx,g+rx,o+r some-file.txt 
    tuckerm@apollo:~> ls -l some-file.txt
    -rwxr-xr--    1 tuckerm  students        0 Feb  1 17:11 some-file.txt*
    tuckerm@apollo:~> 
    
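
    The following is an added example and is not part of the lab notes. It models, in Python, how the symbolic chmod specs from this section (u+rwx, a-w,o+r, go-rwx, ...) change the nine permission bits, and converts between those bits and the rwxr-x--- field of ls -l from section 1. The function names are my own; real chmod also honours the umask when no who letters are given, which this model does not.

```python
# Added example, not part of the lab notes: a model of how chmod's symbolic
# modes (u+rwx, a-w,o+r, go-rwx, ...) change the nine permission bits, plus
# converters between those bits and the rwxr-x--- field printed by ls -l.
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}   # who-letters -> bit mask
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}               # perm-letters -> bit mask

def apply_symbolic(mode, spec):
    """Apply a chmod spec such as 'u+rwx,g+rx,o+r' to mode (e.g. 0o640).
    Simplification: real chmod also leaves umask bits alone when no who
    letters are given; here a bare '+w' just means 'a+w'. s, t and X are
    not modelled."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in WHO:
            i += 1                                   # consume the who letters
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad chmod clause: {clause!r}")
        who_mask = 0
        for w in clause[:i] or "a":
            who_mask |= WHO[w]
        bits = 0
        for p in clause[i + 1:]:
            bits |= PERM[p]
        bits &= who_mask                             # only the selected classes
        if clause[i] == "+":
            mode |= bits
        elif clause[i] == "-":
            mode &= ~bits
        else:                                        # '=' replaces those classes outright
            mode = (mode & ~who_mask) | bits
    return mode & 0o777

def ls_string(mode):
    """Render permission bits as ls -l does, e.g. 0o750 -> 'rwxr-x---'."""
    return "".join(
        (c if (mode >> shift) & bit else "-")
        for shift in (6, 3, 0)                       # user, group, others
        for c, bit in (("r", 4), ("w", 2), ("x", 1))
    )

def parse_ls_string(field):
    """Inverse of ls_string; a leading file-type character is ignored."""
    mode = 0
    for ch in field[-9:]:
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode
```

    Running apply_symbolic(0, "u+rwx,g+rx,o+r") gives 0o754, the same result as chmod 0754 in the transcript above.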

  4. The chown command

    The chown command is used by the system administrator (root) to change the ownership of a file. As an ordinary (non-root) user this command will not be able to do anything:
     
        
    root@platypus:~# chown tuckerm labrun.test
    

  5. The chgrp command

    This command allows the user to change the group for a specified file or directory. A user may only change the group of a file to a group of which the user account is a member. chgrp accepts two arguments. The first is the name of the group to change to. The second is the file or directory to make the change to. An example:
     
        
    tuckerm@apollo:~> ls -l start-vnc.sh 
    -rwxr-x---    1 tuckerm  tuckerm       777 Nov  7 14:09 start-vnc.sh*
    tuckerm@apollo:~> chgrp faculty start-vnc.sh 
    tuckerm@apollo:~> ls -l start-vnc.sh
    -rwxr-x---    1 tuckerm  faculty       777 Nov  7 14:09 start-vnc.sh*
    tuckerm@apollo:~>
    

  6. The groups command

    The groups command simply lists all the groups that the current user is a member of. Example:
     
    tuckerm@platypus:~> groups
    tuckerm student10 faculty
    tuckerm@platypus:~>
    

  7. umask

    umask is usually a command that is built in to the shell. It is used to define the default permissions for files newly created from the shell. Generally this default will be set by the system administrator. Sometimes it is beneficial to set it to some other value depending on how secure or open operations need to be. The command takes one argument, which is the numeric value of the mask. It uses the inverse of the numeric permission string (see chmod) to define the default permissions. So, if new file permissions are to be set as 0777, then a umask of 000 would be appropriate. To restrict all world access to new files the umask should be set to 007 (newly created files would have permissions of 0770). The mask is applied to the permissions the creating program asks for; touch asks for 0666 (no execute bit), which is why in the example below a umask of 0037 gives -rw-r----- rather than -rwxr-----.
     
    tuckerm@apollo:~> touch newfile
    tuckerm@apollo:~> ls -l newfile 
    -rw-rw-r--    1 tuckerm  tuckerm         0 Feb  1 17:41 newfile
    tuckerm@apollo:~> umask 0777
    tuckerm@apollo:~> touch another_file
    tuckerm@apollo:~> ls -l another_file
    ----------    1 tuckerm  tuckerm         0 Feb  1 17:41 another_file
    tuckerm@apollo:~> umask 0037
    tuckerm@apollo:~> touch last_file
    tuckerm@apollo:~> ls -l last_file
    -rw-r-----    1 tuckerm  tuckerm         0 Feb  1 17:42 last_file
    tuckerm@apollo:~>
    
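
    The following is an added example and is not part of the lab notes. It reproduces the transcript above in Python: effective_mode computes the bits a new file or directory should get for a given umask, and observe_umask creates a real file and directory in a temporary directory to confirm it. The function names are my own; it assumes a POSIX system where open/touch request 0666 and mkdir requests 0777.

```python
# Added example, not part of the lab notes: how the umask combines with the
# permissions a program asks for. touch/open ask for 0666 on a regular file
# and mkdir asks for 0777 on a directory; every bit set in the umask is
# cleared from that request.
import os
import stat
import tempfile

def effective_mode(umask, directory=False):
    """Permission bits a new file (or directory) receives under this umask."""
    requested = 0o777 if directory else 0o666
    return requested & ~umask & 0o777

def observe_umask(umask):
    """Create a real file and directory under the given umask and return
    (file_bits, dir_bits) so the arithmetic above can be checked."""
    with tempfile.TemporaryDirectory() as tmp:   # made before the umask changes
        old = os.umask(umask)
        try:
            fpath, dpath = os.path.join(tmp, "newfile"), os.path.join(tmp, "newdir")
            open(fpath, "w").close()              # what 'touch newfile' does
            os.mkdir(dpath)
        finally:
            os.umask(old)                         # always restore the caller's mask
        fbits = stat.S_IMODE(os.stat(fpath).st_mode)
        dbits = stat.S_IMODE(os.stat(dpath).st_mode)
        os.chmod(dpath, 0o700)                    # so cleanup can remove a 0000 dir
    return fbits, dbits

if __name__ == "__main__":
    for m in (0o002, 0o022, 0o037, 0o077, 0o777):
        f, d = observe_umask(m)
        print(f"umask {m:04o}: file {f:04o} dir {d:04o} "
              f"(computed {effective_mode(m):04o} / {effective_mode(m, True):04o})")
```

    With umask 0037 a file comes out as 0640 (-rw-r-----) and a directory as 0740, matching the last_file line in the transcript.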

  8. touch

    The touch command is used to create a new, empty file or to modify the date and time of an existing file. If the file exists touch will update the modification time of the file with the current time. Below is an example of creating an empty file and then updating its modification time:
     
    tuckerm@apollo:~> ls -l some-file.txt
    /usr/bin/ls: some-file.txt: No such file or directory
    tuckerm@apollo:~> date
    Tue Feb  1 17:09:06 GMT 2005
    tuckerm@apollo:~> touch some-file.txt
    tuckerm@apollo:~> ls -l some-file.txt
    -rw-rw-r--    1 tuckerm  tuckerm         0 Feb  1 17:09 some-file.txt
    tuckerm@apollo:~> 
    tuckerm@apollo:~> date
    Tue Feb  1 17:11:53 GMT 2005
    tuckerm@apollo:~> touch some-file.txt
    tuckerm@apollo:~> ls -l some-file.txt
    -rw-rw-r--    1 tuckerm  tuckerm         0 Feb  1 17:11 some-file.txt
    tuckerm@apollo:~>